Path traversal / LFI to RCE

Covers both Windows and Linux targets.

  1. If SSH is running on the Windows or Linux box, look for SSH keys in the user home directories.

    Keys are named after the algorithm used to generate them: an RSA key is stored as id_rsa, an ECDSA key as id_ecdsa, and so on.

  2. With an LFI, if the server logs (such as Apache's) are readable, log poisoning can be tried to achieve code execution and get a reverse shell.

  3. Use the data:// wrapper to execute commands (if the website is using PHP).

  4. If you have a low-privilege shell plus an LFI in the web application, and want to use the LFI to get a shell as another user, first look for writable directories with this command ->

    find / -type d -writable 2>/dev/null

  5. LFI in a Windows application ->

    To confirm its presence, this usually works -> ..\..\..\windows\win.ini

    Look for interesting files such as web.config in their default locations, for example ->

    https://site.com/download?filename=..\\..\\..\\inetpub\\wwwroot\\web.config

    The path does not always have to start with C:\ !
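The same patterns shown in items 3 and 5 are what a defender has to catch on the server side. Below is an added example (not from the original notes) of the path check a download endpoint such as the one above should perform before touching the filesystem: it decodes the parameter once, treats backslashes like forward slashes, rejects stream wrappers and absolute paths, and finally confirms the canonical path still sits under the allowed base directory. The base directories and filenames in it are constructed for illustration; is_traversal_attempt() can also be run over the filename parameter pulled from access-log lines.

```python
import posixpath
from urllib.parse import unquote

# Stream wrappers that PHP include()/fopen() would treat as code or remote sources.
BLOCKED_SCHEMES = ("data:", "php:", "file:", "http:", "https:", "ftp:", "expect:", "phar:", "zip:")


def normalize_user_path(user_path: str) -> str:
    """Decode percent-encoding once (as the web server does) and treat backslashes as
    separators, so '..\\..\\win.ini' and '%2e%2e/' are judged the same way as '../'.
    If the application decodes the parameter a second time, decode here again too."""
    return unquote(user_path).replace("\\", "/")


def is_traversal_attempt(user_path: str) -> bool:
    """True when the supplied filename names a wrapper, is absolute, contains a null
    byte, or has any '..' segment. Any '..' is rejected outright, even one that would
    normalize back inside the base directory; a download endpoint never needs it."""
    norm = normalize_user_path(user_path)
    lowered = norm.lower()
    if "\x00" in norm:
        return True
    if any(lowered.startswith(scheme) for scheme in BLOCKED_SCHEMES):
        return True
    # Absolute paths: Unix '/etc/...' or Windows 'C:/...' after backslash folding.
    if norm.startswith("/") or (len(norm) > 1 and norm[1] == ":"):
        return True
    return ".." in norm.split("/")


def safe_resolve(base_dir: str, user_path: str):
    """Return the canonical path of user_path under base_dir, or None if the request
    would escape it or is not a file inside it. posixpath is used so the same logic
    gives the same answer for Windows and Linux base directories."""
    if is_traversal_attempt(user_path):
        return None
    base = posixpath.normpath(base_dir.replace("\\", "/")).rstrip("/")
    candidate = posixpath.normpath(posixpath.join(base, normalize_user_path(user_path)))
    # Containment check on the canonical form, independent of the pattern checks above.
    if not candidate.startswith(base + "/"):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed requests: a legitimate one and the probe from item 5 of the notes.
    print(safe_resolve("/var/www/downloads", "reports/q1.pdf"))
    print(safe_resolve("C:\\inetpub\\wwwroot\\files", "..\\..\\..\\windows\\win.ini"))
```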
